Taking security to the next frontier

From time to time, we invite industry thought leaders to share their opinions and insights on current technology trends to the In The Making blog. The opinions in these blogs are their own, and do not necessarily reflect the views of IBM.

Attackers always have the upper hand on the information security battlefield. They can test their attacks over and over just as Luke Skywalker and the Rebel Alliance did with the first Death Star. Although the Death Star practiced defense in depth, its own complexity (and a single fatal flaw) brought about its downfall.

IT security is no different. We operate complex infrastructure with a myriad of entrances and exits that allow users to do their work. Application developers and system administrators must keep pace with attackers to prevent the next breach.

Defense becomes much easier when people, process and technology work in tandem. That’s easier said than done:

People will still click on phishing emails, no matter how much training they receive.

Process will always be circumvented when it stands between an employee and a solution for a customer.

Technology will always have vulnerabilities.

For many organizations, a new strategy is needed to wrestle with this problem: make security invisible. That sounds great on paper, but what does it mean in practice?

People

Humans will inevitably make mistakes. George Bernard Shaw once said: “Success does not consist in never making mistakes but in never making the same one a second time.” We should all learn from our mistakes, but even that first one could lead to a security incident. If a company of 500 people allows each one to make one security-related mistake, it could be very costly.

What if there was a way to prevent someone from putting themselves in a position to make a mistake?

Process

In many companies, simply saying the word “process” will clear out a room. Organizations use process to reduce risk and variance. Excessive processes create burden for employees and they eventually find a way around them. This always reminds me of Dr. Malcolm’s famous line in Jurassic Park: “Life, uh, finds a way.”

Technology

It’s no secret that we depend upon technology during every moment of our modern lives. Technology gives us flexibility in our life, but it is also the most rigid weapon we have in our arsenal for security. I’m not asserting that being rigid is equal to being secure, but being rigid means that one plus one always equals two. Our technology does what it is programmed to do — no more and no less.

We can enforce processes with technology and prevent the users from being in a position to make a mistake. The process burden does not disappear, but it becomes clearer and enforceable. How can we reduce the burden but keep the process? It’s called secure-by-default.

More technology embraces the secure-by-default strategy now than ever before. Our mobile phones often have encryption enabled by default, we rely on more factors for authentication, and the Chrome web browser puts each tab into its own sandbox. These security layers protect users from known and unknown threats without their knowledge.

Virtualization technologies, especially containers, are surrounded by other technologies that provide strong security controls by default. Linux systems automatically apply capability restrictions, namespace isolation and mandatory access controls to these virtualized instances. These controls deliver security benefits right from the start and they allow for customization at any time.

In summary, technology works best when it prevents people from ever being in a position to make a mistake. The most successful technology enforces processes without placing a burden on the people that use it. I’m always eager to find technology that goes beyond this and decreases risk while enabling users to be more productive.

Tweets by IBM Systems

The stakes remain high for IT leaders. Not only do they have to respond to dynamic business demands in real time, they must optimize operations on their increasingly complicated multi-platform, multicloud environments– all while simultaneously managing resources and budgets. In short, the mandate for IT leaders remains: “Do more with less.” Today, IBM is announcing ...read more

Your transition to the cloud can only be successful if your data and your environment are secure. Your business, your customers and your partners depend on it. In addition, any interruption to your business can result in lost revenue, trust and ultimately reputation. At IBM, we are committed to providing solutions that maintain your data ...read more

Johan Schelling gets his best inspiration to innovate on long drives in his yellow Donkervoort sports car. Like ICU IT Services, the car is Dutch–built by an engineering innovator who challenged traditional thinking with his new designs. For Schelling, the drives through the Dutch countryside give him time to think–often about using new software technology ...read more